From: XIAO Gang <xiao@unice.fr>
To: linux-kernel@vger.kernel.org
Subject: Need help for sysmask
Date: Fri, 03 Jun 2005 08:32:43 +0200 [thread overview]
Message-ID: <429FF98B.2000505@unice.fr> (raw)
Could somebody please help me with comments / checks / tests on my
kernel security patch "sysmask"? See http://wims.unice.fr/sysmask/doc/
for documentation and download.
This is a security project designed to allow set up systems that
tolerate (controlled) executions of arbitrary malicious codes without
being hurt. In practice, this means that the majority of current
security updates due to vulnerabilities in software, library or even
parts of the kernel will become unnecessary.
The code is now much stabilized after several weeks of intensive test on
a busy server (http://wims.unice.fr/), including a demo challenge page
(http://wims.unice.fr/wims/wims.cgi?module=adm/unice/challenge) that has
been bombarded with all sorts of tricks. The server runs on a patched
2.4.29, SMP-enabled but there is only one cpu in the hardware.
Sysmask is rather ready for a 1.00 release. But before doing so, it
would be great if the following problem could be solved with your help.
1. I hope that somebody can give it a test on other hw/sw configurations
with result feedback, especially for the 2.6 kernel versions and
hopefully on a true SMP with a good load level.
It would be best if some tests could be done with full activation of the
protection. For this some manual editing of the default sysmask
configuration files would be necessary. But this should be quite
straightforward, and the footprint of sysmask on an existing system is
strictly minimal, with only one file (/etc/inittab) that needs to be
modified in order to fully activate it.
2. Although I am not planning to submit the patch to the official kernel
immediately, it would like to be able to make it more conform to the
kernel standards and conventions. Among others, I need your help to
solve some known problemes, the biggest being squatting an existing
syscall number (sys_mpx). Of course this is just a temporary solution,
due to the fact that I don't know how to get a permanent one.
3. Another example is that the current patch adds a few hundred bytes
(200-300) to the size of task_struct. Is this potentially a problem,
should it be moved to a page allocation?
Please give me a cc if you reply to this message; I am not constantly following the list.
--
XIAO Gang (~{P$8U~}) xiao@unice.fr
home page: pcmath126.unice.fr/xiao.html
reply other threads:[~2005-06-03 6:32 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=429FF98B.2000505@unice.fr \
--to=xiao@unice.fr \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox